How To Restrict Access To 'install.php' Or 'update.php' Files In Drupal Website

By Sandeep Sasikumar | 01st September 2021 | 1 min read

We have come across security issues where the 'install.php' or 'update.php' files present in the Drupal website are accessible even after setting up the website. We will need to make sure that access to these files is restricted. We will limit access to these files by adding the entries to the apache web server configuration or in the htaccess file.

Restricting Access To 'install.php' Or 'update.php' Files In Drupal

In Apache virtual host configuration,

RedirectMatch 403 "/(install|update).php"


In htaccess, change the part as below.

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|cron\.php|install\.php|update\.php|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPDATE).txt$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">

The htaccess entries also protect access to cron.php, update.php, web.config and txt files.